[Federal Register Volume 63, Number 234 (Monday, December 7, 1998)]
[Proposed Rules]
[Pages 67524-67529]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 98-32333]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 21

[Docket No. 98-15]
RIN 1557-AB66


``Know Your Customer'' Requirements

AGENCY: Office of the Comptroller of the Currency, Treasury (OCC).

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The OCC is proposing to issue a regulation requiring national 
banks to develop and maintain ``Know Your Customer'' programs. As 
proposed, the regulation would require each bank to develop a program 
designed to determine the identity of its customers; determine its 
customers' sources of funds; determine the normal and expected 
transactions of its customers; monitor account activity for 
transactions that are inconsistent with those normal and expected 
transactions; and report any transactions of its customers that are 
determined to be suspicious, in accordance with the OCC's existing 
suspicious activity reporting regulation. By requiring banks to 
determine the identity of their customers, as well as to obtain 
knowledge regarding the legitimate activities of their customers, the 
proposed regulation will reduce the likelihood that banks will become 
unwitting participants in illicit activities conducted or attempted by 
their customers.


[[Page 67525]]


DATES: Comments must be received by March 8, 1999.

ADDRESSES: Comments should be directed to: Communications Division, 
Office of the Comptroller of the Currency, 250 E Street, SW, 
Washington, DC 20219, Attention: Docket No. 98-15. Comments will be 
available for public inspection and photocopying at the same location. 
In addition, comments may be sent by fax to (202) 874-5274, or by 
electronic mail to [email protected].

FOR FURTHER INFORMATION CONTACT: Robert Pasley, Assistant Director, 
Enforcement and Compliance Division (202) 874-4879; Thomas Fleming, 
Compliance Specialist (202) 874-4879, or Susan Quill, Compliance Expert 
(202) 874-4879, Community and Consumer Policy; or Mark Tenhundfeld, 
Assistant Director, Legislative and Regulatory Activities Division 
(202) 874-4879.

SUPPLEMENTARY INFORMATION:

Background

    The integrity of the financial sector depends on the ability of 
banks and other financial institutions to attract and retain legitimate 
funds from legitimate customers. Banks are able to attract and retain 
the business of legitimate customers because of the quality and 
reliability of the services being rendered and, as important, the sound 
and highly respected reputation of banks. Illicit activities, such as 
money laundering, fraud, and other transactions designed to assist 
criminals in their illegal ventures, pose a serious threat to the 
integrity of banks. When transactions at banks involving illicit funds 
are revealed, these transactions invariably damage the reputation of 
the banks involved. While it is impossible to identify every 
transaction at a bank that is potentially illegal or is being conducted 
to assist criminals in the movement of illegally derived funds, it is 
fundamental for safe and sound operations that banks take reasonable 
measures to identify their customers, understand the normal and 
expected transactions typically conducted by those customers, and, 
consequently, identify those transactions conducted by their customers 
that are suspicious in nature. By identifying and, when appropriate, 
reporting such transactions in accordance with existing suspicious 
activity reporting requirements, banks are protecting their integrity 
and are assisting the efforts of the bank regulatory agencies and law 
enforcement authorities to combat illicit activities at financial 
institutions.
    One of the most effective means by which a bank can both protect 
itself from engaging in transactions designed to facilitate illicit 
activities and ensure compliance with applicable suspicious activity 
reporting requirements is for the bank to have adequate Know Your 
Customer policies and procedures. By knowing its customers, a bank is 
both better able to serve the legitimate needs of its customers and to 
fulfill its compliance responsibilities, including its Bank Secrecy Act 
and suspicious activity reporting requirements.
    Recognizing that a Know Your Customer program for one bank will not 
necessarily be appropriate for another, the proposed regulation focuses 
on the basic components that the OCC believes should be contained in 
any Know Your Customer program. In supplemental guidance to be provided 
at the time this regulation becomes final, the OCC will provide further 
information about specific steps that banks may consider taking to 
ensure that their Know Your Customer programs comport with the 
regulations. The OCC believes that this approach strikes an appropriate 
balance that responds to requests for additional guidance in this area 
while preserving the flexibility for each bank to take steps 
appropriate for the size and complexity of its business.

Privacy Issues

    The proposed regulation requires banks to gather information about 
customers that, if misused, could result in an invasion of a customer's 
privacy. Accordingly, it is the OCC's expectation that, in complying 
the Know Your Customer regulation, a bank will obtain only that 
information that is necessary to comply with the regulation and will 
limit the use of this information to complying with the regulation. 
Financial institutions need to safeguard and handle responsibly the 
information gathered in connection with complying with these 
obligations, and should integrate comprehensive privacy practices into 
their Know Your Customer programs.

Authority to Issue Regulation

    The proposed regulation is authorized pursuant to the OCC's 
statutory authority under section 8(s)(1) of the Federal Deposit 
Insurance Act (12 U.S.C. 1818(s)(1)), as amended by section 2596(a)(2) 
of the Crime Control Act of 1990 (Pub. L. 101-647), which mandates that 
the OCC issue regulations requiring banks under its supervision to 
establish and maintain internal procedures reasonably designed to 
ensure and monitor compliance with the Bank Secrecy Act. Effective Know 
Your Customer programs serve to facilitate compliance with the Bank 
Secrecy Act.

Proposal

    The OCC proposes to revise 12 CFR Part 21 by requiring national 
banks to develop and implement Know Your Customer programs. Under the 
proposed regulation, the OCC would expect each bank to design a program 
that is appropriate given the bank's size and complexity, the nature 
and extent of its activities, its customer base and the levels of risk 
associated with its various customers and their transactions. The OCC 
believes that this approach is preferable to a detailed regulation that 
imposes the same list of specific requirements on every bank regardless 
of its circumstances.
    Each of the other Federal bank supervisory agencies is proposing to 
adopt Know Your Customer regulations covering state member and 
nonmember banks, state-chartered branches and agencies of foreign 
banks, and savings associations.1 The OCC also has been 
discussing with the Federal regulators of non-bank financial 
institutions, such as broker-dealers, the need to propose similar rules 
governing the activities of these non-bank institutions.
---------------------------------------------------------------------------

    \1\  As of the date this proposed rule was signed, the National 
Credit Union Administration was still reviewing the issue of whether 
to adopt a regulation that would create similar Know Your Customer 
obligations for credit unions.
---------------------------------------------------------------------------

Section-by-Section Analysis

    The OCC proposes to add a new Sec. 21.22. The various components of 
the Know Your Customer rule are summarized below.

Purpose and scope (Sec. 21.22(a))

    The purposes of adopting a Know Your Customer program are to 
protect the reputation of the bank; to facilitate the bank's compliance 
with all applicable statutes and regulations (including the Bank 
Secrecy Act and the OCC's suspicious activity reporting regulations) 
and with safe and sound banking practices; and to protect the bank from 
becoming a vehicle for, or a victim of, illegal activities perpetrated 
by its customers. The rules apply, as a general matter, to all national 
banks. However, the rules do not apply to credit card banks, bankers' 
banks, or other banks that operate solely to service the activities of 
their affiliates. The OCC recognizes that certain banks operate solely 
to service the activities of their affiliates or other banks and, in so 
doing, do not interact in any manner with any public customers. The OCC 
does not intend the proposed regulation

[[Page 67526]]

to impose any requirements on those banks.
    The rules also apply to all Federal branches or agencies of foreign 
banks licensed or chartered by the OCC. The OCC expects U.S. banks to 
implement Know Your Customer systems in their overseas branches that 
are equivalent to those that they have in the United States in order to 
minimize the risk to the bank posed by illegal activities in the 
overseas branches.

Definition of Customer (Sec. 21.22(b))

    The proposed regulation defines the term ``customer'' as any person 
or entity who has an account involving the receipt or disbursal of 
funds with an institution covered by this regulation and any person or 
entity on behalf of whom an account is maintained. If, for instance, a 
bank knows that an account is opened on behalf of a third party, the 
bank will need to treat as a customer both the person or entity opening 
the account and the person or entity for whom the account is opened. 
The regulation applies to deposit accounts, loan accounts, and any 
other type of account involving the receipt or disbursal of funds. It 
does not include, for instance, transactions such as renting safe 
deposit boxes.
    Except for the provisions regarding identifying customers (see the 
discussion of paragraph (d)(2)(i) of the proposed rule, below) the 
proposed regulation does not differentiate between current customers 
and new customers. The effectiveness of a bank's Know Your Customer 
program would be greatly reduced if all customer accounts in existence 
prior to the effective date of the regulation were excluded from its 
scope. However, the OCC does not believe that it is practicable for a 
bank to conduct a large-scale information request from all its existing 
customers. Rather, a bank may comply with the proposed regulation with 
respect to its current customers by determining their normal and 
expected transactions using available account data and monitoring their 
transactions for suspicious activities. However, depending on the 
nature of the risk associated with some customers and their 
transactions (for instance, transactions involving private banking 
customers), it may be necessary to fulfill all of the requirements of 
this regulation as if they were new customers.

Establishment of Know Your Customer Program (Sec. 21.22(c))

    This section requires that each bank establish a Know Your Customer 
program by April 1, 2000. Additionally, this section requires that the 
Know Your Customer program be reduced to writing and approved by the 
board of directors of the bank, or a committee thereof, and the 
approval recorded in the official minutes of the board.

Contents of Know Your Customer Program (Sec. 21.22(d))

    This section sets forth the specific requirements for the contents 
of the Know Your Customer program. As previously noted, the OCC 
believes that to impose a regulation that requires each bank to follow 
a pre-designed, standardized checklist would not be appropriate. The 
proposed regulation thus allows each bank to develop and delineate a 
system that will comprise the Know Your Customer program, consistent 
with the banking practices of the particular bank that, when followed 
by the bank, will effectively meet the requirements and goals of the 
regulation.
    Section 21.22(d) reflects the OCC's recognition that each bank's 
Know Your Customer program may vary depending on the nature of the 
specific activity, the type of customers involved, the size of the 
transactions, and other factors that reflect the bank's assessment of 
the risk presented. In complying with this section, it may be 
beneficial for banks to classify customers into varying risk-based 
categories that the banks can use in determining the amount and type of 
information, documentation and monitoring that is appropriate. While 
the proposed regulation will provide banks with substantial flexibility 
in devising an appropriate Know Your Customer program, the OCC believes 
that all Know Your Customer programs should contain certain critical 
features, which are discussed below.
Documentation and Due Diligence
    Paragraph (d)(1) of Sec. 21.22 requires that the Know Your Customer 
program delineate acceptable documentation requirements and due 
diligence procedures the bank will follow in meeting the requirements 
of the proposed regulation. The delineation of this information in the 
Know Your Customer program will ensure that the same standards are 
applied throughout the bank and will inform auditors and examiners of 
the bank's established standards for review of customer information.
Minimum Steps to Take to Comply With the Know Your Customer Rule
    Paragraph (d)(2) of Sec. 21.22 sets forth the steps a bank needs to 
take in order to know its customers. These steps are discussed below.
    Identify the customer. Paragraph (d)(2)(i) requires that the Know 
Your Customer program provide a system for determining the identity of 
new customers. If a bank has reasonable cause to believe that it lacks 
sufficient information to know the identity of an existing customer, 
paragraph (d)(2)(i) also requires that the program provide a system for 
determining the identity of that customer.
    It is imperative that a bank establish, to its own satisfaction, 
that it is dealing with a legitimate customer, whether the customer is 
a natural person, corporation, or other business entity. The nature and 
extent of the identification process should be commensurate with the 
types of transactions anticipated by the customer and the risks 
associated with such transactions. If a bank is unable to establish the 
identity or legitimacy of the customer, sound practices require that 
the bank not open the account (or terminate the account if the bank 
lacks adequate information to know the identity of an existing customer 
and is unable to obtain the information).
    The best identification documents for verifying the identity of 
prospective customers are the ones that are the most difficult to 
obtain illicitly and the most difficult to counterfeit. No single form 
of identification can be guaranteed to be genuine, however. Therefore, 
the identification process should be cumulative, obtaining enough 
information and documentation to assure the bank that it has adequately 
identified the prospective customer. For individual accounts, this 
might include, for instance, a photograph and signature of the 
individual. For corporate or business customers, the customer 
identification process could include the review of appropriate 
documentation that allows for a means to verify that the corporation or 
other business entity does exist and does engage in the business, as 
stated. All documentation reviewed, as well as verifications of the 
information contained therein, should be recorded and maintained by the 
bank.
    Any practice of a bank that allows for the establishment of a 
customer relationship without face-to-face contact with bank personnel, 
such as banking by mail or Internet banking, poses difficulties in the 
identification of the prospective customer by use of the traditionally 
accepted practice of obtaining photographic identification. Even though 
photographic identification in such circumstances will be impractical, 
other accepted means of identifying a customer are still viable. In 
such circumstances, special care should

[[Page 67527]]

be given to verification of address and telephone number.
    If a bank offers private banking services, it is important that the 
bank understand a customer's personal and business background, source 
of funds, and intended use of the private banking services. Typically, 
private banking customers are clients of financial advisors or make use 
of account vehicles such as personal investment companies, trusts, and 
personal mutual investment funds. The establishment of such accounts 
protects the legitimate confidentiality and financial privacy of the 
customers who use such accounts. However, banks need to identify 
properly the beneficial owners of such accounts in order to have an 
effective Know Your Customer program. Any needed confidentiality 
required by customers of a bank's private banking department can be 
addressed by the development of special protections to limit access to 
information that would generally reveal the beneficial owners of those 
accounts.
    Introductions or referrals of prospective customers by established 
customers of the bank, while extremely valuable in providing background 
information about the prospective customer, cannot take the place of 
identification requirements that should be set forth in the bank's Know 
Your Customer program. Details regarding the introduction or referral 
should be documented so that the information obtained can be 
effectively used to assist in the verification of the prospective 
customer.
    Determine the source of funds. Paragraph (d)(2)(ii) requires that 
the Know Your Customer program provide a system for determining the 
source of a customer's funds. The amount of information needed to do 
this can depend on the type of customer in question. As an example, if 
a retail banking customer maintains demand deposit accounts funded 
primarily from payroll deposits, it should be a relatively simple task 
to identify and document the source of funds as payroll deposits. On 
the other hand, a more detailed analysis, with a more extensive 
documentation process, would be required for high net worth customers 
with multiple deposits from a variety of sources. For these reasons, 
among others, it may be beneficial for banks to classify customers into 
varying categories, based on factors such as the types of accounts 
maintained, the types of transactions conducted, and the potential risk 
of illicit activities associated with such accounts and transactions. 
Banks could then develop procedures to obtain necessary information and 
documentation based on the risk assessment for the various categories 
or classes established by a bank.
    Determine normal and expected transactions. Paragraph (d)(2)(iii) 
requires that the Know Your Customer program provide a system for 
determining a customer's normal and expected transactions involving the 
bank. Without this information, a bank is unable to identify suspicious 
transactions. A bank's understanding of a customer's normal and 
expected transactions should be based on information obtained both when 
an account is opened and during a reasonable period of time thereafter. 
It also should be based on normal transactions for similarly situated 
customers.
    Monitor the account transactions. Paragraph (d)(2)(iv) requires 
that the Know Your Customer program provide a system for monitoring, on 
an ongoing basis, the transactions conducted by customers and 
identifying transactions that are inconsistent with the normal and 
expected transactions for particular customers or for customers in the 
same or similar categories or classes. The proposed regulation does not 
require that every transaction of every customer be reviewed. Rather, 
it requires that a bank develop a monitoring system that is appropriate 
for the risks presented by the accounts maintained at that bank.
    In designing a monitoring system, a bank may choose to classify 
accounts into various categories based on factors such as the type and 
size of account, the types, number, and size of transactions conducted 
in the account, and the risk of illicit activity associated with the 
account. For certain classes or categories of accounts, it would be 
sufficient for an effective monitoring system to establish parameters 
for which the transactions within these accounts will normally occur. 
Rather than monitoring each transaction, an effective monitoring system 
could entail monitoring only for those transactions that exceed the 
established parameters for that particular class or category of 
accounts. For other categories or classes of accounts, such as private 
banking accounts, it may be necessary to monitor each significant 
transaction.
    Determine if transaction should be reported. Once a transaction is 
identified as inconsistent with normal and expected transactions, 
paragraph (d)(2)(v) requires that a bank determine if the transaction 
warrants the filing of a Suspicious Activity Report. This is consistent 
with a bank's existing obligations under 12 CFR 21.11(c). In 
identifying reportable transactions, a bank should not conclude that 
every transaction that falls outside what is expected for a given 
customer should be reported. Rather, a bank should focus on patterns of 
inconsistent transactions and isolated transactions that present risk 
factors that warrant further review.

Compliance with Know Your Customer Program (Sec. 21.22(e))

    This section sets forth the requirements a bank must follow to 
ensure that it is in compliance with its Know Your Customer program. 
The requirements include that a bank provide for and document a system 
of internal controls to ensure ongoing compliance, as well as provide 
for and document independent testing for compliance with the Know Your 
Customer program. Additionally, the bank must designate an individual 
responsible for coordinating and monitoring day-to-day compliance and 
provide for and document training to all appropriate personnel of the 
content and requirements of the Know Your Customer program.

Availability of Documentation (Sec. 21.22(f))

    This section requires, for all accounts opened or maintained in the 
United States, that all information and documentation necessary to 
comply with the regulation be made available for examination and 
inspection, at a location specified by a OCC representative, within 48 
hours of a request for such information and documentation. In instances 
where the information and documentation is at a location other than 
where the customer's account is maintained or the financial services 
are rendered, the bank must adopt, as part of its Know Your Customer 
program, specific procedures designed to ensure that the information 
and documentation is reviewed by personnel at the location where the 
customer's account is located or the financial services are rendered, 
and the bank should provide written evidence that the appropriate 
review of the information and documentation is being performed by the 
personnel at that location on a regular basis.
    While issues arise on occasion concerning whether foreign laws 
permit a bank to disclose certain customer information, the OCC's 
experience is that the information typically already exists within the 
bank in the United States because the information is used by the 
relationship manager, who resides in the United States, as well as 
other components of the bank, to provide banking services to the 
customer. Moreover, in instances where

[[Page 67528]]

banks have raised foreign law disclosure issues, the banks, at the 
OCC's suggestion, have obtained from their customers waivers to any 
perceived prohibition to disclosure of the information and 
documentation. Thus, the OCC does not anticipate that foreign laws will 
preclude the production of information relating to accounts opened and 
maintained in the United States.

Comments Sought

    The OCC invites comment on any aspect of the proposed regulation, 
and specifically seeks comment on the following issues:
    1. Whether the proposed definition of ``customer'' is sufficient to 
include all persons who benefit from an account opened at a bank, such 
as persons who establish off-shore shell companies or entities or 
otherwise conduct their business through intermediaries.
    2. Whether the proposed definition of ``customer'' is too broad and 
will unnecessarily include persons that pose a minimal Know Your 
Customer risk.
    3. Whether a bank's Know Your Customer program should apply to a 
bank's counterparty relationships with respect to transactions in 
wholesale financial markets (e.g., sales or purchases involving foreign 
exchange or securities) and correspondent banking relationships.
    4. Whether a different standard than that applicable to retail 
relationships would be more appropriate for wholesale and correspondent 
banking relationships, and, if such a distinction is appropriate, how 
the definition of ``customer'' can be distinguished between 
transactional counterparty customers, correspondents, and retail 
customers.
    5. Whether the proposed regulation will create a competitive 
disadvantage with respect to other financial entities offering similar 
services that may not be subject to the similar regulations (citing, 
where possible, specific examples) and, if so, what could be done to 
mitigate the disadvantage consistent with the OCC's supervisory 
responsibilities.
    6. Whether the actual or perceived invasion of personal privacy 
interests is outweighed by the additional compliance benefits 
anticipated by this proposal.
    7. Whether there should be a minimum account size threshold below 
which the Know Your Customer requirements should be waived.
    8. Whether credit card banks should be exempt from the regulation.

Regulatory Flexibility Act

    Pursuant to section 605(b) of the Regulatory Flexibility Act (5 
U.S.C. 601 et seq.), the OCC certifies that this proposal will not have 
a significant economic impact on a substantial number of small 
entities. Accordingly, a regulatory flexibility analysis is not 
required. Most banks, from small to large, already have policies and 
procedures aimed at collecting, retaining, and reviewing the types of 
information required by this proposal. Therefore, there should not be a 
significant economic impact from this proposal.

Paperwork Reduction Act

    The OCC invites comment on:
    (1) Whether the proposed collections of information contained in 
this notice of proposed rulemaking are necessary for the proper 
performance of the OCC's functions, including whether the information 
has practical utility;
    (2) The accuracy of the OCC's estimate of the burden of the 
proposed information collection;
    (3) Ways to enhance the quality, utility, and clarity of the 
information to be collected;
    (4) Ways to minimize the burden of the information collection on 
respondents, including the use of automated collection techniques or 
other forms of information technology; and
    (5) Estimates of capital or start-up costs and costs of operation, 
minutes, and purchase of services to provide information.
    Recordkeepers are not required to respond to this collection of 
information unless it displays a currently valid OMB control number.
    The collection of information requirements contained in this notice 
of proposed rulemaking have been submitted to the Office of Management 
and Budget for review in accordance with the Paperwork Reduction Act of 
1995 (44 U.S.C. 3507(d)). Comments on the collections of information 
should be sent to the Office of Management and Budget, Paperwork 
Reduction Project (1557-KYCP), Washington, D.C. 20503, with copies to 
Office of the Comptroller of the Currency, Communications Division, 250 
E Street, SW, Attention: 1557-KYCP, Washington, D.C. 20219.
    The proposed rule is not expected to significantly increase the 
ongoing annual paperwork burden for the recordkeepers because most of 
the ongoing burden is incurred and accounted for under other existing 
information collections. As discussed in the preamble to the proposed 
rule, banks already must report suspicious transactions, pursuant to 12 
CFR 21.11. Therefore, they already must gather information about 
customers and monitor customer transactions as part of their usual and 
customary activities in order to comply with the suspicious activity 
reporting requirements. Moreover, the OCC has drafted the proposed 
regulation in a way that is designed to give banks as much flexibility 
as possible to design a system that is appropriate for each individual 
bank and generally has not proposed to require compliance with specific 
paperwork burdens.
    The majority of the paperwork burden associated with the proposed 
rule is the one-time burden of developing a plan. In the normal course 
of business, most institutions likely already have sufficient 
information about their customers in their files and would only need to 
organize and review such information. Because each institution would 
design its own program in accordance with its own business practices, 
the OCC estimates that the burden of the proposed rule would vary 
considerably and may range, during the initial year, from 10 to 30 
hours, with an average of 20 hours per recordkeeper.
    The collection of information requirements in this proposed rule 
are found in 12 CFR 21.22(c) and 21.22(e)(3). This information is 
required to evidence compliance with the requirements that the Know 
Your Customer program has been developed and approved by a bank's board 
of directors (or committee thereof) and to identify the person(s) 
responsible for coordinating and monitoring compliance with the 
program. The likely respondents are national banks, District banks, and 
Federal branches and agencies of foreign banks licensed or chartered by 
the OCC.
    Estimated average annual burden hours per recordkeeper: 20 hours 
for the first year, with an average over the first three years of 8 
hours per year.
    Estimated number of recordkeeper: 2,600.
    Estimated total annual recordkeeping burden: 52,000 for the first 
year, with an average over the first three years of 20,800 hours per 
year.
    Start-up costs: None.

Executive Order 12866

    The Office of Management and Budget has concurred with the OCC's 
determination that this proposal is not a significant regulatory action 
under Executive Order 12866.

Unfunded Mandates Reform Act of 1995

    The OCC has determined that this proposal will not result in 
expenditures by state, local, and tribal governments, or by the private 
sector, of $100 million

[[Page 67529]]

or more in any one year. Accordingly, a budgetary impact statement is 
not required under section 202 of the Unfunded Mandates Reform Act of 
1995. Most banks already have policies and procedures aimed at 
collecting, retaining and reviewing the types of information required 
by this proposal and, thus, this proposal should not result in 
substantial additional expenditures.

List of Subjects in 12 CFR Part 21

    Currency, National banks, Reporting and recordkeeping requirements, 
Security measures.

Authority and Issuance

    For the reasons set forth in the preamble, part 21 of chapter I of 
title 12 of the Code of Federal Regulations is proposed to be amended 
as follows:

PART 21--MINIMUM SECURITY DEVICES AND PROCEDURES, REPORTS OF 
SUSPICIOUS ACTIVITIES, AND BANK SECRECY ACT COMPLIANCE PROGRAM

    1. The authority citation for part 21 continues to read as follows:

    Authority: 12 U.S.C. 93a, 1818, 1881-1884, and 3401-3422; 31 
U.S.C. 5318.

    2. A new Sec. 21.22 is added to read as follows:


Sec. 21.22  Know Your Customer rules.

    (a) Purpose and scope--(1) Purpose. The Know Your Customer rules 
require that national banks and Federal branches or agencies of foreign 
banks establish and regularly maintain procedures designed to determine 
the identity of their customers, as well as their customers' normal and 
expected transactions and sources of funds involving the bank. These 
procedures (referred to as the ``Know Your Customer'' program) are 
intended to: protect the reputation of the bank; facilitate the bank's 
compliance with all applicable statutes and regulations (including the 
Bank Secrecy Act and the suspicious activity reporting requirements of 
12 CFR 21.11) and with safe and sound banking practices; and protect 
the bank from becoming a vehicle for or a victim of illegal activities 
perpetrated by its customers.
    (2) Scope. In general, the Know Your Customer rules apply to all 
national banks as well as all Federal branches or agencies of foreign 
banks licensed or chartered by the OCC. However, the rules do not apply 
to credit card banks, bankers's banks, or other banks that operate 
solely to service the activities of their affiliates.
    (b) Definition of customer. For the purposes of this section, 
customer means:
    (1) Any person or entity who has an account involving the receipt 
or disbursal of funds with an institution covered by this section; and
    (2) Any person or entity on behalf of whom an account is 
maintained.
    (c) Establishment of Know Your Customer program. Each bank shall 
develop and provide for the continued administration of a Know Your 
Customer program by April 1, 2000. The Know Your Customer program shall 
be reduced to writing and approved by the board of directors (or a 
committee thereof) with the approval recorded in the official minutes 
of the board.
    (d) Contents of Know Your Customer program. The Know Your Customer 
program may vary in complexity and scope according to categories or 
classes of customers established by the bank and the potential risk of 
illicit activities associated with those customers' accounts and 
transactions. Components of the program should include the following:
    (1) Appropriate documentation requirements and due diligence 
procedures established by the bank to comply with this section; and
    (2) A system for:
    (i) Determining the identity of the bank's new customers and, if 
the bank has reasonable cause to believe that it lacks adequate 
information to know the identity of existing customers, determining the 
identity of those existing customers;
    (ii) Determining the customer's sources of funds for transactions 
involving the bank;
    (iii) Determining the particular customer's normal and expected 
transactions involving the bank;
    (iv) Monitoring customer transactions and identifying transactions 
that are inconsistent with normal and expected transactions for that 
particular customer or for customers in the same or similar categories 
or classes, as established by the bank; and
    (v) Determining if a transaction should be reported in accordance 
with the OCC's suspicious activity reporting regulations and, if so, 
reporting accordingly.
    (e) Compliance with Know Your Customer program. The bank shall 
comply with its Know Your Customer program. To ensure compliance, the 
bank shall:
    (1) Provide for and document a system of internal controls;
    (2) Provide for and document independent testing for compliance to 
be conducted by bank personnel or by an outside party on a regular 
basis;
    (3) Designate an individual or individuals responsible for 
coordinating and monitoring day-to-day compliance; and
    (4) Provide for and document training to all appropriate personnel, 
on at least an annual basis, of the content and required procedures of 
the Know Your Customer program.
    (f) Availability of documentation. For all accounts opened or 
maintained in the United States, each bank must ensure that all 
information and documentation sufficient to comply with the 
requirements of this section are available for examination and 
inspection, at a location specified by an OCC representative, within 48 
hours of an OCC representative's request for such information and 
documentation. In instances where the information and documentation is 
maintained at a location other than where the customer's account is 
maintained or the financial services are rendered, the bank must 
include, as part of its Know Your Customer program, specific procedures 
designed to ensure that the information and documentation is reviewed 
on an ongoing basis by appropriate bank personnel in order to comply 
with this section.

    Dated: October 17, 1998.
Julie L. Williams,
Acting Comptroller of the Currency.
[FR Doc. 98-32333 Filed 12-4-98; 8:45 am]
BILLING CODE 4810-33-P